June 2018’s Patch Tuesday has come and gone and, as usual, another batch of critical fixes and security patches is now being rolled out to Windows systems everywhere.
As you may very well know, Patch Tuesday typically falls on the second Tuesday of each month. The updates usually contain bug fixes, security patches and malware database refreshes for supported Windows operating systems and a slew of Microsoft and Adobe software products.
This time around, Microsoft issued fixes for 50 security flaws, 11 of them rated as critical, including a big security risk with Microsoft’s virtual assistant Cortana!
You definitely want to apply these updates as soon as you can.
Cortana security flaw
The big security risk this month, revealed in March, is a collection of flaws that would have allowed an attacker to access a locked computer by exploiting Cortana.
By using a combination of the virtual assistant’s quirks, a hacker can use voice commands to carry out a variety of tasks, such as accessing private files, changing passwords, downloading malware through a malicious website and even executing PowerShell scripts.
This Cortana flaw (CVE-2018-8140) is being classified by Microsoft as an elevation of privilege vulnerability. It was fixed with a patch that forces Cortana to consider a computer’s status before it retrieves information.
This is certainly a security flaw you will want to patch right away.
Another critical flaw that was patched is a remote code execution vulnerability (CVE-2018-8225) in the Windows Domain Name System (DNS).
This is a dangerous bug since it would have allowed a hacker to remotely take over a computer via a malicious DNS server that sends out corrupted DNS responses.
Microsoft Edge flaw
Adobe Flash Player Zero-Day
And as usual, Microsoft also bundled patches for Adobe products in its Patch Tuesday updates.
This time it includes a fix for a critical Flash Player flaw (CVE-2018-4878) that is already being actively exploited by hackers. This scary zero-day bug would have allowed an attacker to remotely take over your computer by using poisoned Office documents loaded with malicious Flash content.
These patches were actually part of the out-of-band emergency updates that Adobe issued last month.
This flaw affects Flash Player 184.108.40.206 and earlier versions. If you still rely on using Flash Player for websites (you shouldn’t), it’s important that you update to the latest version 220.127.116.11 immediately.
Other important fixes in June’s updates address another remote code execution flaw in Excel (CVE-2018-8248), seven Device Guard vulnerabilities in Windows 10 Enterprise and Server 2016, two privilege escalation vulnerabilities in SharePoint Server and one in Office Web Apps Server.
A noteworthy fix is also included for a remote code execution vulnerability in Internet Explorer (CVE-2018-8267), which was already publicly disclosed earlier. You need to patch this soon before hackers can pounce on it.
How to update Windows
Most Windows machines are set to download and install updates automatically by default. If you haven’t changed your automatic update settings then you should be fine.
If you want to check, here’s how:
On Windows 10, click Start (Windows logo), choose “Settings,” select “Update & Security,” then in the “Windows Update” section, select “Check for Updates.” (Note: the “Windows Update” section is also handy for showing you updates that are currently being downloaded or applied.)
If you have an older Vista or Windows 7 system, check out our tips on how to set up and check Windows Updates.
For Chrome, Internet Explorer 11, and Microsoft Edge browsers, the updates should be applied automatically after a restart. For other browsers, you may need to update the Flash plugin manually.
The latest Flash Player version for Windows, Mac, Chrome, Microsoft Edge and Internet Explorer 11 and Linux is 18.104.22.168.